Bymer

Effects

Bymer has been programmed to spread to other computers through networks.

Infection strategy

Bymer follows the infection routine below:

It searches for IP addresses at random.

When it finds an IP address that allows access to the C: drive of a computer, the virus copies itself to the Windows/System directory under the following name: WININIT.EXE.

Bymer will not spread to computers where the Windows/System directory does not exist (for example computers running under Windows NT, Windows 2000, etc.).

Bymer creates the following files:

DNETC.EXE and DNETC.INI, which are part of the RC5 application (distributed client process), not of the worm. Although Bymer installs these files, they are not part of it, which means that these files are not dangerous.

Bymer modifies the following file:

WIN.INI, to which it adds the following value:

[windows]
load=C:\WINDOWS\SYSTEM\WININIT.EXE

When the infected computer is restarted, Bymer deletes the value it inserted in the WIN.INI file and creates the following entries in the Windows Registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
bymer.scanner = "c:\windows\system\wininit.exe"

By modifying this entry, Bymer ensures it is run every time the computer is started up.
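A check for the two persistence stages described above, as an added example that is not part of the original description: it scans the text of a WIN.INI file and of a regedit export for the entries Bymer writes. The function names, the sample inputs, and the extra check of the run= line (the description only mentions load=) are assumptions made for this example.

```python
import re

# Indicators from the description above (compared case-insensitively).
DROPPED_PATH = r"c:\windows\system\wininit.exe"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "bymer.scanner"

# Constructed sample inputs, not taken from a real machine.
SAMPLE_WIN_INI = r"""[windows]
load=C:\WINDOWS\SYSTEM\WININIT.EXE
run=
"""
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"bymer.scanner"="c:\\windows\\system\\wininit.exe"
"""

def check_win_ini(text):
    """Return (key, program) pairs in [windows] that start the dropped copy."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if section == "windows" and sep and key in ("load", "run"):
            # The value may name several programs; split on spaces and commas.
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog.strip('"').lower() == DROPPED_PATH:
                    hits.append((key, prog))
    return hits

def check_reg_export(text):
    """Return (name, data) pairs under the Run key that match the worm's entry."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]*)"="([^"]*)"$', line)
        if key == RUN_KEY and m:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
            if name.lower() == RUN_VALUE or data.lower() == DROPPED_PATH:
                hits.append((name, data))
    return hits
```

Because the WIN.INI value is removed at the first restart, a clean WIN.INI does not rule out the Run entry, so both checks are needed.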